Add basic test and change unlock strategy

config/initializers/devise.rb

@@ -205,7 +205,7 @@ Devise.setup do |config|
   # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both  = Enables both strategies
   # :none  = No unlock strategy. You should handle unlocking by yourself.
-  config.unlock_strategy = :time
+  config.unlock_strategy = :none
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.

spec/features/auth/user_lockout_spec.rb

@@ -0,0 +1,26 @@
+require "rails_helper"
+
+RSpec.describe "User Lockout" do
+  let(:user) { FactoryBot.create(:user) }
+  let(:attempt_number) { Devise.maximum_attempts }
+
+  context "when login-in with the wrong password up to a maximum number of attempts" do
+    before do
+      attempt_number.times do
+        visit("/users/sign-in")
+        fill_in("user[email]", with: user.email)
+        fill_in("user[password]", with: "wrong_password")
+        click_button("Sign in")
+      end
+    end
+
+    it "locks the user account" do
+      visit("/users/sign-in")
+      fill_in("user[email]", with: user.email)
+      fill_in("user[password]", with: user.password)
+      click_button("Sign in")
+      expect(page).to have_http_status(:unprocessable_entity)
+      expect(page).to have_content("Your account is locked.")
+    end
+  end
+end